fix(security): tighten production CSP and validate CSRF allowedOrigins

- CSP: use 'self' for defaultSrc/scriptSrc instead of blanket 'https:'
  to prevent XSS payload injection from arbitrary HTTPS domains
  (aligned with OWASP and Helmet defaults)
- CSRF: validate allowedOrigins entries with new URL() and warn on
  malformed entries instead of silently adding them

Signed-off-by: Pawel Kosiec <pawel.kosiec@databricks.com>

Author: pkosiec

packages/appkit/src/plugins/server/security/csrf.ts

@@ -39,7 +39,14 @@ function buildTrustedOrigins(config?: CsrfConfig): Set<string> {
   }
 
   for (const o of config?.allowedOrigins ?? []) {
-    origins.add(o.toLowerCase().replace(/\/$/, ""));
+    try {
+      origins.add(new URL(o).origin.toLowerCase());
+    } catch {
+      logger.warn(
+        "CSRF allowedOrigins entry is not a valid URL: %s — skipping",
+        o,
+      );
+    }
   }
 
   for (const o of parseEnvOrigins(process.env.APPKIT_CSRF_ALLOWED_ORIGINS)) {

packages/appkit/src/plugins/server/security/index.ts

@@ -34,14 +34,14 @@ function getDefaultHelmetOptions(isDev: boolean) {
   return {
     contentSecurityPolicy: {
       directives: {
-        defaultSrc: ["https:", "wss:"],
-        scriptSrc: ["https:"],
-        styleSrc: ["'self'", "https:", "'unsafe-inline'"],
-        imgSrc: ["https:", "data:"],
-        fontSrc: ["https:", "data:"],
+        defaultSrc: ["'self'"],
+        scriptSrc: ["'self'"],
+        styleSrc: ["'self'", "'unsafe-inline'"],
+        imgSrc: ["'self'", "https:", "data:"],
+        fontSrc: ["'self'", "https:", "data:"],
         objectSrc: ["'none'"],
         baseUri: ["'self'"],
-        connectSrc: ["https:", "wss:"],
+        connectSrc: ["'self'", "https:", "wss:"],
         frameAncestors: ["'none'"],
       },
     },